Challenges: Attack Traceback

Trace back to the original attack across stepping

Prevalent Approaches

IP traceback:
•  Marking (e.g. PPM, DPM)
•  Logging
•  Algebraic approach
•  Watermarking
•  Correlation

Others:
•  Ingress router filtering / backbone router filtering
•  Input debugging
•  IPSec
•  Out-of-band messages (e.g. ICMP)
•  Active probing, tracing by hand
•  Using IDS, honeypot
•  Passive observation
•  Social engineering

None of them work for our traceback problem.
Grimm's Fairy Tales: "Hansel and Gretel"
(Image courtesy of Childrensillustrators)

Our Approach: Pebbletrace

Key idea:
(1) Take advantage of the attacking traffic and trace backwards to the attacker
(2) Build pebbleware with zero-day vulnerabilities
Steps of Pebbletrace

Step 1: Victim uploads attack information
Step 2: Administrator generates Pebbleware
Step 3: Pebbleware deployment
Step 4: Pebbleware goes across stepping-stones
Step 5: Pebbleware executes on the attacker's machine and collects information
Architecture of Traceback Server

Key ideas
-  Design Pebbleware based on client-side zero-day vulnerabilities
-  Trace back the attacker once the file containing Pebbleware is opened

Attacker Steals Files

(Figure: embedded Pebbleware; seasoning Pebbleware)

•  Embed Pebbleware into the file to be stolen
•  Hide Pebbleware among the files to be stolen
•  Support multiple file types (e.g. .pdf, .doc)
•  Create multiple Pebbleware to increase the probability of success
Case Study: Traceback File Theft at Amazon EC2

(Figure: victim instance on Amazon EC2, Fedora Core 8; DNS name ec2-….compute-1.amazonaws.com, illegible in the scan)

•  Zero day: Adobe util.printf() (CVE-2008-2992)
•  Use heap spray technique
•  Attacker's firewall and anti-virus tools do not react to the traceback.
•  Attacker's IP, network interfaces, snapshot, etc. are identified.

(Figure: Eve [attacker], Windows XP SP2; Traceback Server, Windows 7; IP addresses illegible in the scan)

Due to legal issues, the attack in the case study is constructed for study based on possible behaviors of real attackers, and is not accessible to the public.
•  Attacker steals confidential information (e.g. bank password) directly with hacker tools.
•  How to embed Pebbleware?

Focus on a scenario: Traceback botmasters in cloud
Botnet Attacks in Cloud

•  Scenarios
   -  Communicating with victims
   -  C&C servers and stepping stones in clouds
   -  A centralized C&C server
   -  Stepping stones: VPN, proxies and SSH tunneling
   -  Symmetric encryption
      •  RC4: Zeus, Feederbot; AES: Wraith, Waledac; DES: Ozdok
•  Traceback: identify the botmaster behind stepping stones

(Figure: botmaster)
Extra Challenges

•  No file to integrate Pebbleware
•  Encrypted communication
•  Involving multiple cloud service providers
•  Short lifetime vs. long stepping-stones
•  Sensitive to false positives
A General Approach to Pebbletracing Botmaster

(Figure: attacker (botmaster), victims (bots), traceback server)

Step 1: Key identification
Step 2: Pebbleware for finding botmasters behind stepping stones

Step 1: Key Identification

•  Finding the key given a memory image and encrypted traffic
•  Constraints
   -  No source code
   -  Abnormal format patterns
   -  Hard to verify candidate keys
   -  Requiring low false positives

A Key Identification Scheme

•  Observations
   -  Fuzzy delimiter patterns may be available
   -  Characteristics of symmetric keys
   -  Randomness of ciphertext mostly comes from symmetric encryption schemes
Step 2: Pebbleware for Botmasters

•  Exploit zero-day vulnerabilities
   -  Vulnerabilities of C&C servers
   -  Client-side vulnerabilities
   -  Hard to select zero-days
•  Hide Pebbleware in stealth traffic
   -  Option 1: from victim
   -  Option 2: from traceback server (e.g. pretend to be a victim)


Case Study: Traceback Zeus Botmaster in Opsource Cloud

Basic Zeus protocol between bots and C&C server:

  bot  --->  C&C: HTTP GET configuration file
  bot  <---  C&C: RC4-encrypted configuration file
  bot  --->  C&C: RC4-encrypted stolen data
Case Study: Traceback Zeus Botmaster in Opsource Cloud (testbed)

(Figure: testbed topology; IP addresses largely illegible in the scan)
-  Victim (bot)
-  Stepping-stone (VPN server)
-  Opsource Cloud: Controller/Receiver (C&C server): Ubuntu 10.04, Zeus 1.4.2
-  Monitoring host: Windows XP (SP2), Wireshark 1.6.2
-  Attacker (botmaster): Windows XP (SP2), Firefox 3.6.11 with Adobe Flash plugin 10.2.152.26, OpenVPN (version illegible in the scan)
-  Traceback server: Ubuntu 10.04; Portal: Ruby on Rails (Ruby 1.8.7, Rails 2.3.5); Metasploit platform 3.8.0-dev; Volatility 2.0
Five Steps to Traceback Zeus Botmaster

Step 1: Obtaining information;
Step 2: Pebble 1 — uploading the backdoored control panel;
Step 3: Pebble V — replacing the control panel;
Step 4: Botmaster logs in to the C&C and is logged and redirected;
Step 5: Pebble 2 — penetrate stepping-stones and collect attacker information.

(Figure: victim (bot), stepping-stone (VPN server), controller/receiver (C&C server), attacker (botmaster), traceback server; steps 2 & 3 marked at the C&C server)
Step 1: Key Identification of Zeus Botnet

Identify RC4 keys of Zeus bots
-  Pattern filter: 2 zero bytes + 256–400 bytes + 2 zero bytes
-  Entropy analyzer: > 7.5
-  Verifier
   •  Characteristics of key: a permutation of the values 0–255
   •  Entropy verifier: the candidate key with the largest entropy drop is the real key
Identified Key & Decrypted Traffic

(Figure: hex dump of a detected S table of a Zeus bot, a region bounded by zero bytes at memory offsets 0x12fe0 to 0x13180, and the decrypted traffic of a Zeus bot)

Performance of Entropy Verifier

•  Two groups of bots
   I.  Homegrown
   II. Wild caught
•  Outliers: the correct keys
Performance of the Key Identification Scheme in Zeus Botnets

(Figure: four plots. Time cost (Group I) and time cost (Group II): our proposed scheme vs. traditional key scheduling checks on each byte, against the number of S arrays output. Performance of phases (Group I) and (Group II): number of suspected regions after pattern filters, after the entropy filter and after key scheduling, per index of bot, on a log scale from 1.00E+00 to 1.00E+06.)
Attacker Information Detected

(Figure: screenshot of the traceback server portal, "Traces: index" in Mozilla Firefox, showing "Logged in successfully" and "Listing traces" with columns OS, MAC, Arch, Language, Connection Tree. The BOTMASTER entry lists network interfaces (TAP-Win32 Adapter; MS TCP Loopback interface, 127.0.0.1 / 255.0.0.0; AMD PCNET Family PCI Ethernet Adapter, 192.168.153.3 / 255.255.255.0), a process list (explorer.exe, VMwareTray.exe, VMwareUser.exe, McSACore.exe, Mcshield.exe, vmtoolsd.exe, svchost.exe, VMUpgradeHelper.exe, rundll32.exe, alg.exe, wuauclt.exe, mcsysmon.exe, firefox.exe, cmd.exe, notepad.exe, among others) and a routing table with gateway 192.168.153.3.)
Conclusion

•  Traceback Internet attacks
   -  Attacker steals files
   -  Attacker steals information
•  Traceback botmaster in clouds
•  Future work
   -  Attacker communicates with victims through social networks

The Ohio State University


Publications

•  W. Lin and D. Lee, "Traceback Attacks in Cloud — Pebbletrace Botnet", IEEE ICDCS SPCC, 2012
•  Y. Hsu and D. Lee, "Machine Learning for Implanted Malicious Code Detection with Incompletely Specified System Implementations", IEEE ICNP FIST, 2011
•  G. Shu and D. Lee, "A Formal Methodology for Network Protocol Fingerprinting", IEEE Trans. on Parallel and Distributed Systems, 2011
•  Z. Liu, G. Shu and D. Lee, "Instant Messaging Security", in Network Security, Administration and Management: Advancing Technologies and Practices, D. C. Kar and M. R. Syed, eds., IGI Global, 2010
•  F. Yu, V. Gopalakrishnan, K. K. Ramakrishnan and D. Lee, "Loss-tolerant Real-time Content Integrity Validation for P2P Video Streaming", COMSNETS 2009
•  F. Yu and D. Lee, "Internet Attack Traceback - Cross-validation and Pebble Tracing", IEEE/DHS International Conference on Technologies for Homeland Security, May 2008
•  Y. Hsu, G. Shu and D. Lee, "A Model-based Approach to Security Flaw Detection of Network Protocol Implementations", IEEE ICNP, Oct 2008
•  G. Shu, Y. Hsu and D. Lee, "Fuzz Testing and Communications Protocol Security Flaws", FORTE, June 2008
•  G. Shu, D. Chen, Z. Liu, N. Li, L. Sang and D. Lee, "VCSTC: Virtual Cyber Security Testing Capability - An Application Oriented Paradigm for Network Infrastructure Protection", TESTCOM/FATES, June 2008
•  P. Pederson, D. Lee, G.-Q. Shu, D. Chen, Z. Liu, N. Li and L. Sang, "Virtual Cyber-Security Testing Capability for Large Scale Distributed Information Infrastructure Protection", IEEE/DHS International Conference on Technologies for Homeland Security, May 2008






